Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add column of last login date/time for Target users?

dmcavoy
New Member
‎07-31-2014 07:16 AM

How can I add a column for my below search that displays a result for the Target_Account_Name's last login date/ time?

index=windows_sec "EventCode=630" OR "EventCode=4726" | eval "Time and Date"=strftime(_time, "%H:%M %Y/%m/%d") | table "Time and Date" "Target_Account_Name" "Caller_Domain" "ComputerName" "Caller_User_Name" | rename "Target_Account_Name" as "Username" "Caller_Domain" as "Domain" "ComputerName" as "Computer Name" "Caller_User_Name" as "Deleted By"

0 Karma
Reply

somesoni2
Revered Legend
‎08-01-2014 06:50 AM

Try something like this 

index=windows_sec "EventCode=630" OR "EventCode=4726" "EventCode=528" OR "EventCode=4624"
| stats first(<<Field from "EventCode=528" OR "EventCode=4624" which have last login date>>) as last_login_date, first(<<other rqquired fields from  "EventCode=630" OR "EventCode=4726">> ... by Target_Account_Name

Assuming that Target_Account_Name is the common user name field for all these event codes.

0 Karma
Reply

dmcavoy
New Member
‎08-01-2014 06:30 AM

Yeah both those event codes do have logs. Am I going to have to perform a join query for this then? I specifically need event code 630 and 4726 as they are event codes for deleted windows accounts.

0 Karma
Reply

somesoni2
Revered Legend
‎07-31-2014 07:36 AM

Does your logs contain entries with "EventCode=528" OR "EventCode=4624" ?? These entries contains successful login details and you can use those entries to get your last login date/time.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...